NIST SP800-115

NIST's technical guide.
© Coventry University. CC BY-NC 4.0

The Technical Guide to Information Security Testing and Assessment (also known by the catchy title NIST SP800-115) was published by the National Institute of Standards and Technology (NIST) in 2008.

It provides a relatively high-level overview of how to design, implement and maintain technical information security test and examination processes and procedures. It is aimed at supporting organisations in planning and executing tests, finding vulnerabilities in a system or network, and verifying compliance with a policy or other requirements.

The guide describes three main methods of assessment:

  • Testing – executing technical tests on the target networks and systems
  • Examination – the main non-technical assessment process of checking, inspecting, reviewing, observing, studying or analysing
  • Interviews – another non-technical assessment method described as a process of conducting discussions with individuals or groups within an organisation to facilitate understanding, achieve clarification, or identify the location of evidence

NIST SP800-115 divides a security assessment project into three phases:

  • Planning covers the initial stages of the project, such as information gathering, asset identification and threat modelling
  • Execution mainly focuses on finding system, network and organisational process vulnerabilities
  • Post-execution covers the assessment of the vulnerabilities found earlier, and their impact

The reason we have included this methodology in our list is that it provides a good discussion on the non-technical examination of the security posture of an organisation.

There are cases where we cannot simulate the target systems realistically enough, and running full simulated attacks on the live production systems is not an option either, eg in critical infrastructure, medical environments, etc. In those environments, being able to run a non-technical examination is particularly important. This approach is also useful when verifying compliance with required standards and policies.


National Institute of Standards and Technology (2008) NIST SP800-115 [online] available from [11 April 2019]

This article is from the free online course Ethical Hacking: An Introduction

Created by
FutureLearn - Learning For Life